|
 |
15f1cc4 |
From: Mamoru TASAKA <mtasaka@fedoraproject.org>
|
|
|
15f1cc4 |
Date: Sun, 18 Dec 2022 00:22:04 +0000 (+0900)
|
|
|
15f1cc4 |
Subject: Bug 706227: png_write_band: initialize stream before calling deflateBound
|
|
|
15f1cc4 |
X-Git-Url: http://git.ghostscript.com/?p=mupdf.git;a=commitdiff_plain;h=a76b4ed0d3a2c7e52bba2d6c10b44d11d5ade2fe
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
Bug 706227: png_write_band: initialize stream before calling deflateBound
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
zlib deflateBound manual says when calling this function,
|
|
|
15f1cc4 |
stream should have been initialized via a call to deflateInit_()
|
|
|
15f1cc4 |
or deflateInit2_(), so change so.
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
Note that without this fix, "mutool draw -F png" segfaults on s390x,
|
|
|
15f1cc4 |
perhaps on big endian, uninitialized bytes of a value (which is
|
|
|
15f1cc4 |
not wholly initialized) is read, on the other hand, on little endian
|
|
|
15f1cc4 |
initialized bytes of the value is read, so it happens not to cause
|
|
|
15f1cc4 |
segfault.
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
Fixes https://bugs.ghostscript.com/show_bug.cgi?id=706227
|
|
|
15f1cc4 |
---
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
diff --git a/source/fitz/output-png.c b/source/fitz/output-png.c
|
|
|
15f1cc4 |
index 17279f913..979c75eeb 100644
|
|
|
15f1cc4 |
--- a/source/fitz/output-png.c
|
|
|
15f1cc4 |
+++ b/source/fitz/output-png.c
|
|
|
15f1cc4 |
@@ -236,6 +236,12 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
|
|
|
15f1cc4 |
if (usize > SIZE_MAX / band_height)
|
|
|
15f1cc4 |
fz_throw(ctx, FZ_ERROR_GENERIC, "png data too large.");
|
|
|
15f1cc4 |
usize *= band_height;
|
|
|
15f1cc4 |
+ writer->stream.opaque = ctx;
|
|
|
15f1cc4 |
+ writer->stream.zalloc = fz_zlib_alloc;
|
|
|
15f1cc4 |
+ writer->stream.zfree = fz_zlib_free;
|
|
|
15f1cc4 |
+ err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
|
|
|
15f1cc4 |
+ if (err != Z_OK)
|
|
|
15f1cc4 |
+ fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
|
|
|
15f1cc4 |
writer->usize = usize;
|
|
|
15f1cc4 |
/* Now figure out how large a buffer we need to compress into.
|
|
|
15f1cc4 |
* deflateBound always expands a bit, and it's limited by being
|
|
|
15f1cc4 |
@@ -245,12 +251,6 @@ png_write_band(fz_context *ctx, fz_band_writer *writer_, int stride, int band_st
|
|
|
15f1cc4 |
writer->csize = UINT32_MAX;
|
|
|
15f1cc4 |
writer->udata = Memento_label(fz_malloc(ctx, writer->usize), "png_write_udata");
|
|
|
15f1cc4 |
writer->cdata = Memento_label(fz_malloc(ctx, writer->csize), "png_write_cdata");
|
|
|
15f1cc4 |
- writer->stream.opaque = ctx;
|
|
|
15f1cc4 |
- writer->stream.zalloc = fz_zlib_alloc;
|
|
|
15f1cc4 |
- writer->stream.zfree = fz_zlib_free;
|
|
|
15f1cc4 |
- err = deflateInit(&writer->stream, Z_DEFAULT_COMPRESSION);
|
|
|
15f1cc4 |
- if (err != Z_OK)
|
|
|
15f1cc4 |
- fz_throw(ctx, FZ_ERROR_GENERIC, "compression error %d", err);
|
|
|
15f1cc4 |
}
|
|
|
15f1cc4 |
|
|
|
15f1cc4 |
dp = writer->udata;
|